ISO 27701: one more compliance text or the long-awaited international framework for privacy protection?

Facebook ($5 billion), Cambridge Analytica, Equifax ($700 million), British Airways (€204 million), Marriott (€110 million)… there is no doubt that these record cases and fines contribute to making the following observation increasingly obvious and shared: cybersecurity and privacy protection are new structuring and non-negotiable pillars for companies and organizations. Apple CEO Tim Cook even recently referred to the subject as a “crisis” that needs to be addressed.

But what exactly is ISO 27701?

In August 2019, the International Organization for Standardization (ISO) published ISO 27701, an extension of ISO 27001 that specifies the processes, objectives and measures to be implemented for the protection of personal data and privacy.

Creating and maintaining a Privacy Protection Management System

Just as ISO 27001 (the reference standard for information security) aims to establish an Information Security Management System (ISMS), its extension ISO 27701 aims to establish a Privacy Information Management System (PIMS).

To do this, the standard amends and supplements the processes, requirements and security measures of ISO 27001 and ISO 27002 with specific recommendations for the processing of personal data.

However, it does not merely extend ISO 27001 and ISO 27002: it also adds new requirements specific to privacy that are well known to privacy practitioners (consent management, transparency, data minimization, etc.).

In this context, being ISO 27001 certified is a prerequisite for obtaining ISO 27701 certification.

This prerequisite mechanically narrows the pool of potential candidates for certification and makes the effort required more substantial: review of existing documentation, necessary collaboration between the existing ISMS teams and the new PIMS actors, etc.

Despite this effort, applying the standard offers organizations an excellent opportunity to further intertwine the processes and teams dealing with cybersecurity and privacy (e.g. linking the Security Integration in Projects process with Privacy by Design).

ISO 27701 certified does not mean GDPR compliant

It is important to note that ISO 27701 certification is not synonymous with GDPR compliance. The main purpose of the standard is to establish worldwide principles and rules around privacy, expressed in a common language. That said, national authorities (such as the CNIL) participated in the development of the standard and welcomed its publication.

So where does the content of ISO 27701 overlap with the content of the GDPR?

Regarding the fundamental principles of the GDPR (consent, data subject rights, lawfulness, etc.), the new standard develops a set of requirements covering all the GDPR topics. Because the standard is intended to be international, it is by nature less precise than the GDPR on some points (e.g. it does not specify a deadline for notifying the supervisory authority). It is therefore the responsibility of the organization running the PIMS to carry out a gap analysis in order to understand what adjustments are needed to comply with the applicable laws.

In addition, with respect to the security of personal data, the adapted requirements of ISO 27001 and ISO 27002 provide organizations with a comprehensive set of controls that can serve as a basis for compliance with Article 32 of the GDPR (dedicated to security of processing).

… but it can become the strongest credibility mark in personal data protection and privacy on the market.

The main stake for a company seeking ISO 27701 certification is to give credibility to its privacy management system and to give its stakeholders (business partners, customers, suppliers, employees, authorities…) confidence that the fundamental principles of privacy protection are taken into account.

The ISO 27701 “stamp” could quickly become a well-known and internationally recognized pledge of trust. Like ISO 27001, this new standard could become an essential criterion during tendering phases.

In this perspective, Matthieu Grall of the French data protection authority (CNIL) states that with “(…) the increase in the number of complaints and sanctions related to confidentiality and data protection, it is obvious that such a standard was necessary. In addition, organizations must demonstrate to the authorities, and their partners, customers and collaborators that they are trustworthy. However, this standard will greatly contribute to inspiring this confidence.”

Concretely, for whom and why?

The publication of this standard represents an opportunity for several types of organizations:

  • In a B2B relationship: a strong pledge of trust towards business partners in a collaboration that involves processing personal data (e.g. a company managing payroll or carrying out communication or marketing operations on behalf of large organizations).
  • In a B2C relationship: certifying a key perimeter of a company that processes its customers' personal data at scale (e.g. a retailer's loyalty program, an insurer's contractual activities…) can eventually become a significant vector of trust towards the customers themselves, but also towards the authorities.
  • Within companies: the standard represents a new benchmark that companies can use to build a clear and shared audit framework. ISO 27701 certification can also give DPOs and privacy teams a way to make the efforts undertaken tangible to their top management.

While there is still uncertainty about its widespread adoption (particularly because of the ISO 27001 certification barrier), there is no doubt that it can quickly establish itself as a confidence-building measure as well as a new standard for internal audit and control.

The fact remains that the emergence of this standard is a new leap forward for the protection of personal data on an international scale.